CVE-2024-23525 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Vendor	Product	Version
tozt	spreadsheet\	𝑥 < 0.30

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libspreadsheet-parsexlsx-perl

bullseye	0.27-2.1+deb11u2 fixed
bookworm	0.27-3+deb12u2 fixed
sid	0.36-1 fixed
trixie	0.36-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libspreadsheet-parsexlsx-perl

noble	not-affected
mantic	Fixed 0.27-3+deb12u2build0.23.10.1 released
lunar	ignored
jammy	Fixed 0.27-2.1+deb11u2build0.22.04.1 released
focal	Fixed 0.27-2+deb10u1build0.20.04.1 released
bionic	ignored
xenial	ignored
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

http://www.openwall.com/lists/oss-security/2024/01/18/4

https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a

https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10

https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html

https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes

https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

http://www.openwall.com/lists/oss-security/2024/01/18/4

https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a

https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10

https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html

https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes

https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html